Security gain from NAT (was: Re: Cool IPv6 Stuff)

Donald Stahl don at calis.blacksun.org
Tue Jun 5 00:11:32 UTC 2007


> I can give you the root password to a Linux machine running telnetd and
> sshd. If it's behind NAT/PAT, you will not get into it. Period.
I'll give you the root password to a half a dozen directly connected Linux 
boxes and you still won't be able to get in.

> I can give you the administrator password to a Windows machine with file
> sharing wide open. If it's behind NAT/PAT, you will not get into it. Period.
The beauty of IPv6 is that Windows can, by default, bind to the Link Local 
address for file sharing and you still won't be able to get into it but 
your local network will still work.

> The only ways into these machines would be if the NAT/PAT device were
> misconfigured, another machine on the secure network were compromised, or
> another gateway into the secure network was set up. Guess what? All of these
> things would defeat a stateful inspection firewall as well.
No one is saying they won't. What people are arguing is that NAT doesn't 
get you anything more than a stateful inspection firewall while at the 
same time breaking a whole lot of other things and introducing unnecessary 
complexity.

> Definitely. So why lie and distort what NAT/PAT actually does do? A large
> class of security vulnerabilities require the attacker to reach out to the
> machine first, and NAT/PAT stops those attacks completely.
The point is simply that SI does this without the complexity and inanity 
that is NAT. If you want to deal with it- go right ahead. But the original 
argument (since we seem to have forgotten) is simply that NAT doesn't get 
you anything that SI doesn't already provide- while at the same time 
making everything a lot more complex.

> Is a car alarm useless because some professional thieves can disable it? Is
> a lock useless because some thieves can pick it? Many exploits only go after
> low-hanging fruit, and NAT/PAT stops them.
For the nth time- so does SI- and it does it without the header mangling, 
complexity and troubleshooting headaches that come with NAT.

No one is denying that NAT works- but it works well because of SI, not 
because of NAT (in fact static NAT does nothing to stop an attack in any 
way, shape or form).

The question we are asking you is what does NAT get us over and above SI? 
Because if the answer is nothing- then not having to deal with NAT's 
shortcomings is reason enough to ditch it in favor of straightforward SI.

-Don
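The claim at the centre of this exchange, that unsolicited inbound connections are stopped by connection-state tracking rather than by address rewriting, can be made concrete with a small model. The following is an added simulation written for this archive page, not code from either poster and not a real firewall or conntrack implementation: it models a stateful inspector that admits only return traffic of flows opened from the inside, a dynamic PAT whose mapping table is itself per-flow state, and a stateless static 1:1 NAT. All addresses are RFC 5737 documentation ranges and the hosts and ports are constructed for the example. It shows that SI on publicly addressed hosts and SI behind PAT make the same decision on a telnet probe from outside (dropped), while static NAT with no state simply forwards it.

```python
"""Toy model of stateful inspection (SI) with and without NAT/PAT.

Constructed simulation for illustration only: not a real firewall,
conntrack or NAT implementation. Addresses are RFC 5737 documentation
ranges; hosts and ports are made up for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulInspector:
    """Records flows opened from the inside; admits only their return traffic."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    def outbound(self, p: Packet) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound_allowed(self, p: Packet) -> bool:
        # A legitimate reply is the recorded tuple with ends swapped.
        return (p.dst, p.dport, p.src, p.sport) in self.flows


class PortAddressTranslator:
    """Dynamic PAT: rewrites the inside source to (public_ip, ephemeral port).

    The mapping table is per-flow state, which is why PAT drops unsolicited
    inbound packets: nothing maps them back to an inside host.
    """

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.mappings: Dict[int, Tuple[str, int]] = {}   # public port -> (inside ip, port)

    def outbound(self, p: Packet) -> Packet:
        port = self.next_port
        self.next_port += 1
        self.mappings[port] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        target = self.mappings.get(p.dport)
        if p.dst != self.public_ip or target is None:
            return None
        return replace(p, dst=target[0], dport=target[1])


class StaticNat:
    """Static 1:1 NAT: a stateless address rewrite with no notion of flows."""

    def __init__(self, public_ip: str, inside_ip: str) -> None:
        self.public_ip = public_ip
        self.inside_ip = inside_ip

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return None
        return replace(p, dst=self.inside_ip)


def scenario_si_only() -> Dict[str, bool]:
    """Publicly addressed host with SI only (the 'directly connected boxes' case)."""
    si = StatefulInspector()
    host = "192.0.2.10"
    si.outbound(Packet(host, 51000, "198.51.100.5", 80))
    reply = Packet("198.51.100.5", 80, host, 51000)
    unsolicited = Packet("198.51.100.66", 44444, host, 23)   # constructed telnet probe
    return {"reply": si.inbound_allowed(reply),
            "unsolicited": si.inbound_allowed(unsolicited)}


def scenario_si_with_pat() -> Dict[str, bool]:
    """RFC 1918 inside addresses, PAT at the border, SI checked on the outside tuple."""
    si = StatefulInspector()
    pat = PortAddressTranslator("203.0.113.1")
    outside = pat.outbound(Packet("10.0.0.10", 51000, "198.51.100.5", 80))
    si.outbound(outside)

    def admitted(p: Packet) -> bool:
        # Both the state table and the PAT mapping must already know the flow.
        return si.inbound_allowed(p) and pat.inbound(p) is not None

    reply = Packet("198.51.100.5", 80, pat.public_ip, outside.sport)
    unsolicited = Packet("198.51.100.66", 44444, pat.public_ip, 23)
    return {"reply": admitted(reply), "unsolicited": admitted(unsolicited)}


def scenario_static_nat_no_si() -> Dict[str, bool]:
    """Static 1:1 NAT with no state tracking forwards the probe straight inside."""
    nat = StaticNat("203.0.113.10", "10.0.0.10")
    forwarded = nat.inbound(Packet("198.51.100.66", 44444, "203.0.113.10", 23))
    return {"unsolicited_forwarded": forwarded is not None and forwarded.dst == "10.0.0.10"}


if __name__ == "__main__":
    print("SI only:        ", scenario_si_only())
    print("SI + PAT:       ", scenario_si_with_pat())
    print("static NAT only:", scenario_static_nat_no_si())
```

The first two scenarios return identical verdicts, which is the sense in which NAT adds nothing over SI for unsolicited inbound traffic; the third is the "static NAT does nothing to stop an attack" case, since a 1:1 rewrite carries no flow state and so has nothing to refuse.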



More information about the NANOG mailing list